Data Processing Agreement

Effective date: 22 June 2026 · Last updated: 22 June 2026 · ithouse ApS

This Data Processing Agreement (DPA) sets out how ithouse processes personal data on your behalf when you use our services, in line with Article 28 of the GDPR. It forms part of our Terms of Service.

On this page
  • 1. Introduction and parties
  • 2. Definitions
  • 3. Roles and scope
  • 4. Details of processing
  • 5. Processing instructions
  • 6. Confidentiality
  • 7. Security measures
  • 8. Sub-processors
  • 9. Assistance with data subject rights
  • 10. Personal data breaches
  • 11. Data protection impact assessments
  • 12. International transfers
  • 13. Return and deletion of data
  • 14. Audits
  • 15. Liability
  • 16. Term
  • 17. Annex I — Details of processing
  • 18. Annex II — Technical and organizational measures
  • 19. Annex III — Sub-processors
  • 20. Contact

1. Introduction and parties

This DPA is entered into between ithouse ApS (“Processor”) and the customer (“Controller”) and applies where ithouse processes personal data on the Controller’s behalf in providing the Services. It supplements and forms part of our Terms of Service.

Where there is a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA prevails.

2. Definitions

Terms such as “personal data”, “processing”, “data subject”, “controller”, “processor”, and “supervisory authority” have the meanings given to them in the GDPR (Regulation (EU) 2016/679). “Sub-processor” means any third party engaged by the Processor to process personal data on the Controller’s behalf.

3. Roles and scope

The Controller determines the purposes and means of processing the personal data contained in Customer Content. The Processor processes that personal data solely to provide the Services and only on the Controller’s documented instructions, including those set out in this DPA and the Terms.

4. Details of processing

The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are described in Annex I below. The Processor will process personal data for the duration of the Services unless otherwise agreed or required by law.

5. Processing instructions

The Processor will process personal data only on the Controller’s documented instructions, including with regard to international transfers, unless required to do otherwise by EU or member-state law (in which case it will inform the Controller, unless prohibited). The Processor will promptly inform the Controller if, in its opinion, an instruction infringes the GDPR.

6. Confidentiality

The Processor ensures that persons authorised to process the personal data are bound by confidentiality obligations and have received appropriate data protection training, and limits access to those who need it to provide the Services.

7. Security measures

Taking into account the state of the art and the risks of processing, the Processor implements appropriate technical and organizational measures under Article 32 of the GDPR. A summary of these measures is set out in Annex II below.

8. Sub-processors

The Controller grants general authorisation for the Processor to engage sub-processors to support the Services. A current list is set out in Annex III below. The Processor will impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for their performance.

The Processor will give the Controller reasonable prior notice of any intended addition or replacement of a sub-processor, allowing the Controller to object on reasonable data-protection grounds.

9. Assistance with data subject rights

Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights under the GDPR. If a request is made directly to the Processor, it will forward it to the Controller and not respond directly unless authorised.

10. Personal data breaches

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, and will provide information reasonably necessary to enable the Controller to meet its own breach-notification obligations, together with reasonable assistance in investigating and mitigating the breach.

11. Data protection impact assessments

The Processor will provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to the Processor.

12. International transfers

The Processor processes personal data within the EU/EEA by default. Where a transfer outside the EU/EEA is necessary, it will be carried out under an adequacy decision or the European Commission’s Standard Contractual Clauses, with supplementary measures where required.

13. Return and deletion of data

On termination of the Services, the Processor will, at the Controller’s choice, delete or return the personal data and delete existing copies, unless EU or member-state law requires storage. The Controller may export Customer Content for a limited period after termination before deletion.

14. Audits

The Processor will make available information reasonably necessary to demonstrate compliance with Article 28 of the GDPR and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable notice, confidentiality, and frequency limits, and in a manner that does not compromise the security of other customers.

15. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

16. Term

This DPA takes effect when you accept the Terms of Service or begin using the Services and remains in force for as long as the Processor processes personal data on the Controller’s behalf.

17. Annex I — Details of processing

Subject matter: provision of Managed Enterprise Hosting and related services.
Duration: the term of the Services.
Nature and purpose: hosting, storage, transmission, caching, backup, security filtering, and support in connection with Customer Content.

Types of personal data: any personal data contained in the Controller’s websites, applications, databases, and files — which may include names, contact details, account identifiers, IP addresses, and transaction data of the Controller’s end users.

Categories of data subjects: the Controller’s customers, end users, employees, and any individuals whose data is contained in Customer Content.

18. Annex II — Technical and organizational measures

  • Encryption of data in transit (TLS) and support for encryption at rest;
  • Access control with least-privilege, role-based permissions and multi-factor authentication for administrative access;
  • Network security including a web application firewall, DDoS protection (L4–L7), and network segmentation;
  • Malware protection with antivirus and anti-malware scanning;
  • Monitoring and logging with continuous, proactive monitoring and alerting;
  • Resilience through regular backups and tested restore procedures;
  • Organizational measures including staff confidentiality, security training, and incident response procedures.

19. Annex III — Sub-processors

The Processor engages the following categories of sub-processors to provide the Services. This list is representative and will be kept current; specific providers may change with prior notice as described in section 8.

Sub-processor           | Purpose                                      | Location
Bunny.net               | Global CDN and edge content delivery         | EU (Slovenia)
Payment provider        | Subscription billing and payment processing  | EU/EEA
Email delivery provider | Transactional and service email              | EU/EEA
Monitoring provider     | Uptime, performance, and security monitoring | EU/EEA

20. Contact

For questions about this DPA or to submit a data-protection request, contact us at hello@ithouse.com or write to ithouse ApS, Herstedvang 8, 2620 Albertslund, Denmark · CVR/VAT DK40780297.

Related policies

Privacy Policy · Cookie Policy · Terms of Service